Welcome to issue #100 of the Resilient Cyber Newsletter!

One hundred issues in, and the pace has never been higher. As I get home from the Gartner Security & Risk Summit in National Harbor this week, there’s a lot to cover.

The White House signed an executive order on June 2nd titled “Promoting Advanced Artificial Intelligence Innovation and Security,” and the most revealing thing about it is not what it mandates but what it does not. The order creates binding requirements for Federal agencies to accelerate AI-enabled cyber defense while keeping every meaningful obligation for the private sector entirely voluntary. I wrote a full breakdown in The Vulnpocalypse Won’t Wait for Interagency Coordination, and the short version is that the voluntary model collides with exploit timelines measured in hours.

Meanwhile, Anthropic expanded Glasswing to 150+ new partners across 15 countries and began negotiations to give ENISA direct access to Mythos. Cisco scanned 1.8 billion lines of code in eight weeks using frontier AI, work that would have taken eight years, and the Nx Console supply chain compromise showed that 18 minutes of a malicious VSCode extension was enough to breach GitHub’s internal repositories.

On open source sustainability, Jen Easterly proposed a billion-dollar public-interest fund while Dan Lorenc at Chainguard committed $50 million and 100 engineers to become the “maintainer of last resort.” Both are direct responses to the human sustainability crisis I tracked through Daniel Stenberg’s posts in issues #97 through #99.

Root Evidence confirmed that only 1.4% of CVEs are ever exploited in the wild, the Pentagon’s new CISO announced plans to overhaul the Risk Management Framework, and the WSJ reported on “turncoat AI agents” as the new insider threat vector.

Let’s get into it!

Thanks for reading the Resilient Cyber Newsletter! Subscribe for FREE and join 31,000+ readers to receive weekly updates with the latest news across AppSec, Leadership, AI, Supply Chain, and more for Cybersecurity.

Interested in sponsoring an issue of Resilient Cyber?

This includes reaching over 31,000 subscribers, ranging from Developers, Engineers, Architects, CISO’s/Security Leaders and Business Executives

Reach out below!

Cyber Leadership & Market Dynamics

I wrote a full analysis of the June 2nd executive order on AI. The order creates binding 30-day and 60-day deadlines for Federal agencies, including CISA Binding Operational Directives for AI-enabled defense, a Treasury-led cybersecurity clearinghouse, and classified NSA benchmarking to define “covered frontier models,” while keeping every private sector obligation voluntary.

The order explicitly prohibits mandatory licensing or preclearance for AI model development. The deregulatory logic has merit, but the voluntary model faces a structural problem I have been tracking since Vulnpocalypse. AI has compressed exploit timelines from months to hours while the latest DBIR shows 43 days as the median to remediate KEV vulnerabilities.

The ambition is real, but whether the institutions can execute at the speed the threat demands is the question that will determine whether this EO matters.

Project Glasswing is expanding from roughly 50 initial partners to over 200, adding sectors underrepresented in the first wave, including power, water, healthcare, and hardware. Anthropic also confidentially filed its IPO prospectus with the SEC.

The expansion validates the thesis I have been tracking since Glasswing launched. AI-driven vulnerability discovery at this scale cannot remain gated to a small group of technology companies, but widening the pipeline only works if the downstream systems can absorb it.

Anthropic communicated its decision to the European Commission over the weekend, making ENISA the first EU agency to receive access to Mythos. The move ends a weeks-long standoff in which Euro-area finance ministers, the European Central Bank, and multiple EU member states demanded access after learning Mythos had found vulnerabilities in systems European governments and critical infrastructure rely on daily.

This is the clearest signal yet that frontier AI models with security capabilities will be treated as strategic assets, subject to access negotiations that look more like arms export controls than software licensing.

Anthropic has made “swift progress” on safety safeguards that would allow Mythos-level models to be released to all customers within weeks. The public release timeline changes everything in the Mythos Scrutiny Arc since issue #95. Until now, disclosure volume was constrained by partner count.

A public release means anyone with an API key can run the same discovery pipeline. A Just Security analysis titled “Too Dangerous to Deploy“ questioned whether any safeguard can be sufficient at this scale. Given how trivial it’s been shown to jailbreak any model, it begs the question why Mythos would be viewed any differently.

DoW CISO Aaron Bishop characterized the current RMF as having a “1990s mentality” that is too slow, too paperwork-heavy, and too disconnected from modern cyber operations. Six months after completing an RMF package, the documentation is already outdated and wrong.

The proposed reform replaces static documentation with telemetry-driven operational awareness. For those of us who have argued that GRC is still in the dark ages, this is an encouraging signal.

Easterly’s argument is simple. Open source sits underneath banks, hospitals, cloud platforms, and government systems, and the maintainers carry enormous responsibility with limited resources. Her proposal is a billion-dollar fund to secure the software commons, supported by frontier AI companies.

Combined with Stenberg’s “The Pressure” post and the Chainguard commitment below, the conversation has moved from abstract concern to concrete proposals with dollar amounts attached. The question is whether the funding arrives before the AI-accelerated disclosure pipeline overwhelms the maintainers holding critical infrastructure together on goodwill.

AI agents are always on, operate with persistent credentials, and can be hijacked without the agent or its operators knowing. The WSJ positions compromised agents as the next generation of insider threat, one that operates at machine speed without the behavioral tells traditional programs rely on.

The answer is the same one I have been writing about since my article on identity as the agentic AI problem. If you cannot answer “what can this agent do,” “on whose behalf,” and “who approved it” the same way you can for a human employee, you are not ready for the autonomy these systems are about to have.

Jerry Gamblin’s data shows 27,758 vulnerabilities published by June 1, a 39% increase over the same period in 2025, which set a record with 48,185 total CVEs. Only 52% of 2025 CVEs have fully enriched NVD data.

AI-assisted discovery is not a spike but a permanent increase in baseline velocity. The organizations that will survive this volume are the ones prioritizing based on exploitability, reachability, and business context.

This is the data every security leader should bring to their next board meeting. Root Evidence’s Q1 2026 “Stop Counting CVEs” report found that only 1.4% of CVEs are known to be exploited in real-world attacks.

Common prioritization signals, including CVSS, EPSS, and Metasploit modules, all perform poorly as indicators of actual exploitation. When 98.6% of vulnerabilities are never exploited, the organizations chasing zero CVEs are doing risk theater, not risk management.

CoSAI released a five-layer model that maps accountability across the full AI stack and assigns exactly one responsible party to each component. When something goes wrong with an AI system, who is responsible?

The answer today for most organizations is “nobody, because we never defined it.” This framework, combined with OWASP’s AIUC-1 crosswalk, is closing the governance gap between AI capability and accountability.

AI

Cisco used a multi-model AI harness, including Claude Mythos Preview and GPT 5.5-Cyber, to scan 1.8 billion lines of code in over 25 languages. Their security research team estimated this would have taken eight years manually.

As a direct consequence, Cisco will shift to biweekly security disclosures starting in July. Cisco’s cadence change is the canary. Other large vendors will follow, and the organizations consuming those advisories need to be ready for twice the volume. This is not a temporary spike, it is the new normal.

This framework applies every core zero-trust principle to agentic workloads, identifying five agent-specific threats including prompt injection, tool poisoning, and identity abuse. Anthropic reports it blocked 95% of jailbreak attempts with minimal latency increase, and it is platform-agnostic.

As I wrote in “Zero Trust Was Built for a Different Kind of Trust Problem,” the principles translate but the implementation patterns are fundamentally different when the actor is an LLM with tool access rather than a human with a browser.

Eighteen minutes. That is how long a trojanized Nx Console VSCode extension (version 18.95.0) needed to be live before automatic updates pushed it to every installed instance, compromising a GitHub employee’s device and exfiltrating internal repositories. CVE-2026-48027 has been added to the CISA KEV catalog.

In a separate “Megalodon” campaign, malicious GitHub Action workflows harvested CI/CD secrets and cloud credentials from public repositories. The development environment is now the primary attack surface.

Dan Lorenc’s post is one of the most significant commitments to open source sustainability from a commercial entity I have seen in 20 years. AI models like Mythos can find hundreds of vulnerabilities overnight across projects maintained by one person with no obligation to patch.

Chainguard will build trust infrastructure for open source consumption by becoming the “maintainer of last resort.” Lorenc outlines three futures. The naive one where we pretend the current model works. The chaotic one where disclosure floods the ecosystem. And the hard fork, a deliberate decision to build one disclosure pipeline that works at scale.

AWS continues building out the AgentCore identity infrastructure. The new resource-based policies give SaaS providers centralized control over who can access AgentCore Runtime resources, with explicit Deny statements blocking requests not from approved VPCs and tool interceptors validating JWT claims.

Combined with AWS AgentCore OBO delegation, Uber’s agent identity architecture, and Google’s Agent Identity, the hyperscalers are converging on a shared pattern. Agent access is governed per-tenant, per-resource, and per-tool, with cryptographic attestation at each hop.

When coding agents generate the majority of new code, scanning the output is necessary but insufficient. The leverage point is the agent itself, specifically the skills, instructions, and context that shape its behavior.

There is no established security infrastructure for agent skills yet. Tessl’s partnership with Snyk to bring scanning to every skill in the Tessl Registry addresses this gap. The unit of security in the agentic era is not the line of code. It is the agent and its capabilities.

Anthropic’s Compliance API provides programmatic access to conversation content and activity event logs from Claude Enterprise, with 28 integrations spanning CrowdStrike, Purview, Okta, Wiz, Zscaler, and others.

Enterprise AI platforms are becoming first-class objects in security graphs. Governance and observability are the next gate for enterprise AI adoption, and Anthropic is treating them as first-class product requirements rather than afterthoughts.

If you are implementing zero trust and want the most detailed government playbook available, this is it. The NSA’s interactive ZIG webpage defines 77 activities across two phases for transitioning to target-level zero-trust maturity, designed for DoD, DIB, and NSS organizations.

The interactive format with checklists and tasks moves zero trust from whiteboard strategy to executable work items. Combined with Anthropic’s Zero Trust for AI Agents framework, the zero-trust paradigm is extending from network architecture to agent architecture in real time.

AppSec

Claude-BugHunter packages 51 skills across 24 vulnerability classes, drawing from 681 disclosed HackerOne report patterns. The capability of coding agents is increasingly defined by the skills they carry rather than the tools they connect to. Skills like these make agent security tooling more capable while raising the stakes for skill supply chain integrity.

Garrity’s VulnCheck analysis provides the operational context that Gamblin’s macro numbers need. AI-assisted discovery is compressing time between publication and exploitation while volume outpaces every downstream system.

The organizations succeeding are the ones that have operationalized exploitability signals, reachability analysis, and business context into their prioritization workflows.

The Agent ID Administrator role in Microsoft Entra ID could be exploited to take over arbitrary service principals beyond agent-related identities, reported in March and patched by April 9. The irony is hard to miss.

The agent identity infrastructure that is supposed to bring agents under governance was itself a privilege escalation vector. Every new identity primitive creates new attack surface.

Jamieson O’Reilly’s work puts AI agents into the messier reality of actual penetration testing engagement scopes, adding practitioner context to the ExploitGym research.

The results confirm that AI offensive capability is real, measurable, and improving on a trajectory defenders need to take seriously. The offensive and defensive capability curves are both accelerating. The question is whether they accelerate symmetrically.

Final Thoughts

Issue #100 arrives at a moment when the abstractions are falling away. Anthropic is giving Mythos access to EU sovereign agencies. Cisco condensed eight years of security research into eight weeks. The Nx Console compromise turned 18 minutes into a breach of GitHub’s internal repositories. Trusted publishing was exploited to distribute malware with valid provenance across 32 Red Hat packages.

The systems we built to manage security at human speed are failing at machine speed. But the responses are proportional to the challenge. Chainguard’s $50 million commitment. Easterly’s billion-dollar fund. Anthropic’s Zero Trust for AI Agents. Root Evidence’s data proving only 1.4% of CVEs are ever exploited, giving defenders a rational basis for prioritization.

You cannot patch your way to safety when AI finds vulnerabilities faster than humans can fix them. You can prioritize ruthlessly, build containment that limits blast radius, and invest in the open source infrastructure that everything else depends on.

One hundred issues in, and the work has never mattered more.

Stay resilient.

Keep Reading